Bv9ARM.ch07.html revision ec02e04ead266ebd7796d045b41813aac5499a2b
BIND 9 Administrator Reference Manual

Chapter 7. BIND 9 Security Considerations

Table of Contents
7.1. Access Control Lists
7.2. chroot and setuid (for UNIX servers)
7.3. Dynamic Update Security

7.1. Access Control Lists
Access Control Lists (ACLs) are address match lists that you can set up and nickname for future use in allow-notify, allow-query, allow-recursion, blackhole, allow-transfer, etc. Entries in an address match list are checked in order and the first match wins, so a negated entry (!prefix) must come before the broader entry it is meant to exclude.

Using ACLs allows you to have finer control over who can access your name server, without cluttering up your config files with huge lists of IP addresses.

It is a good idea to use ACLs, and to control access to your server. Limiting access to your server by outside parties can help prevent spoofing and DoS attacks against your server.

Here is an example of how to properly apply ACLs:
    // Set up an ACL named "bogusnets" that will block RFC 1918 private
    // space and other addresses that should never appear as the source
    // of a query; such addresses are commonly used in spoofing attacks.
    acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
    // Set up an ACL called our-nets. Replace the placeholder prefixes with
    // the real IP numbers of the networks you serve.
    acl our-nets { 203.0.113.0/24; 198.51.100.0/24; };
    options {
        allow-query { our-nets; };
        allow-recursion { our-nets; };
        blackhole { bogusnets; };
    };
    zone "example.com" {            // placeholder zone name
        type master;
        file "example.com.db";      // placeholder file name
        allow-query { any; };
    };

The zone-level allow-query { any; } applies to that zone only and overrides the global allow-query for it, so any client may look up the zone's authoritative data. Recursion, however, is still governed by allow-recursion { our-nets; } in the options block: outside clients get authoritative answers for the zone and are refused recursive service (unless recursion has been disabled altogether, in which case nobody gets it). Note that 1.0.0.0/8 and 2.0.0.0/8 were unallocated when this list was written; they have since been allocated and carry real clients, so do not blackhole them on a current server.

For more information on how to use ACLs to protect your server, see the AUSCERT advisory at:
ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos
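The check a practitioner wants after applying the ACLs above is to confirm, from an address outside our-nets, that the server no longer answers recursively. The shell script below is an added example, not code from the BIND manual: it parses dig output for the RA flag and the RCODE and classifies the server's behaviour, so the parsing can be exercised on captured or constructed responses before the live probe is pointed at a real server. The three sample responses are constructed, and dig is assumed to be installed for the live probe.

```shell
#!/bin/sh
# Added example (not from the BIND ARM): decide from a dig response whether a
# name server offered recursion. From outside your networks the expected
# answers are REFUSED, or an authoritative answer with the RA bit clear.

# Print the flags field of a dig response, e.g. "qr rd ra".
dig_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p'
}

# Return 0 if flag $2 (ra, aa, tc, ...) is set in response $1.
has_flag() {
    case " $(dig_flags "$1") " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# Print the RCODE (NOERROR, REFUSED, SERVFAIL, ...) of a dig response.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<-.* status: \([A-Z]*\),.*/\1/p'
}

# Classify one response from the point of view of a client that must NOT be
# served recursively:
#   open-resolver       RA set: the server is willing to recurse for us
#   refused             the ACL did its job
#   authoritative-only  answered from its own zones, recursion withheld
classify() {
    resp=$1
    if has_flag "$resp" ra; then
        echo open-resolver
    elif [ "$(dig_status "$resp")" = REFUSED ]; then
        echo refused
    elif has_flag "$resp" aa; then
        echo authoritative-only
    else
        echo "unexpected:$(dig_status "$resp")"
    fi
}

# Live probe: ask server $1 for name $2 (a name outside its own zones) with
# recursion desired, which is dig's default. Run it from an outside address.
probe_recursion() {
    classify "$(dig "@$1" "$2" A +tries=1 +time=3 2>&1)"
}
# e.g.  probe_recursion 203.0.113.53 www.isc.org    -> should print "refused"

# Constructed sample responses (only the two header lines that matter).
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4711
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_AUTH=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0'
```

Run the probe twice: once from inside our-nets, where "open-resolver" is the correct result, and once from outside, where anything but "refused" (or "authoritative-only" for a name in one of your zones) means the ACLs are not doing their job.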
7.2. chroot and setuid (for UNIX servers)

On UNIX servers, it is possible to run BIND in a chroot environment (using the chroot() function) by specifying the "-t" option on the named command line. This can help improve system security by placing BIND in a "sandbox", which will limit the damage done if a server is compromised.

Another useful feature in the UNIX version of BIND is the ability to run the daemon as an unprivileged user (-u user). We suggest running as an unprivileged user when using the chroot feature: a chroot alone is weak containment for a process that keeps root privileges, since root inside the sandbox can generally break out of it.

Here is an example command line to load BIND in a chroot sandbox, /var/named, and to run named setuid to user 202:

    /usr/local/bin/named -u 202 -t /var/named
7.2.1. The chroot Environment

In order for a chroot environment to work properly in a particular directory (for example, /var/named), you will need to set up an environment that includes everything BIND needs to run. From BIND's point of view, /var/named is the root of the filesystem. You will need to adjust the values of the options that name paths (the server's working directory, its PID file, and any zone or log files) to account for this, because named resolves them after it has called chroot().

Unlike with earlier versions of BIND, you will typically not need to compile named statically nor install shared libraries under the new root. However, depending on your operating system, you may need to set up a few things under the new root that named expects to find there, such as the device nodes, log socket and time zone file it opens at run time.
7.2.2. Using the setuid Function

Prior to running the named daemon, use the touch utility (to change file access and modification times) or the chown utility (to set the user id and/or group id) on files to which you want BIND to write. Note that if the named daemon is running as an unprivileged user, it will not be able to bind to new restricted ports if the server is reloaded; adding a listening address or a port below 1024 later therefore needs a restart as root rather than a reload. (Linux builds that retain capabilities are the exception: named keeps CAP_NET_BIND_SERVICE after switching to the -u user.)
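The sandbox layout described in 7.2.1 and the touch/chown preparation in 7.2.2, as an added example in shell; this is not code from the BIND manual. It creates the directory tree under the chroot root, writes a minimal named.conf whose directory and pid-file options are expressed as named will see them after chroot(), pre-creates and hands over the files named must write, and, when run as root with named-checkconf installed, validates the configuration with the same -t option named itself takes. The account name named, the file locations and the Linux device numbers for /dev/null and /dev/random are assumptions; adjust them for your system.

```shell
#!/bin/sh
# Added example (not from the BIND ARM): build a chroot sandbox for named,
# to be started afterwards as   named -u named -t "$ROOT"
# Assumptions: the unprivileged account is "named", the config lives at
# $ROOT/etc/named.conf, zone data under $ROOT/var/named, the pid file under
# $ROOT/var/run, and Linux device numbers for /dev/null and /dev/random.

build_named_chroot() {
    root=${1:?usage: build_named_chroot ROOT [USER]}
    user=${2:-named}

    # The tree. Everything named only reads stays owned by root.
    for d in etc dev var/named var/run; do
        mkdir -p "$root/$d"
    done
    chmod 755 "$root" "$root/etc" "$root/dev" "$root/var"

    # Paths in named.conf are as named sees them AFTER chroot(): "/var/named"
    # here is "$root/var/named" on the host.
    cat > "$root/etc/named.conf" <<'EOF'
options {
    directory "/var/named";
    pid-file "/var/run/named.pid";
    recursion no;
};
EOF
    chmod 644 "$root/etc/named.conf"

    # Files and directories named must write to (pid file, zone journals,
    # dumps) are created and handed to the unprivileged user up front, as the
    # manual's touch/chown advice says; once named has dropped privileges it
    # cannot fix ownership itself. chown and mknod need root, so without it
    # they are skipped with a warning rather than faked.
    : > "$root/var/run/named.pid"
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown -R "$user" "$root/var/named" "$root/var/run"
        [ -c "$root/dev/null" ]   || mknod -m 666 "$root/dev/null" c 1 3 \
            || echo "warning: could not create $root/dev/null" >&2
        [ -c "$root/dev/random" ] || mknod -m 666 "$root/dev/random" c 1 8 \
            || echo "warning: could not create $root/dev/random" >&2
    else
        echo "warning: not root (or no user '$user'); skipping chown/mknod" >&2
    fi

    # Validate the config exactly as named will read it: -t makes
    # named-checkconf chroot first, the same way named -t does (needs root).
    if [ "$(id -u)" -eq 0 ] && command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf -t "$root" /etc/named.conf
    fi
}

# Checks that need no root: the config is present and nothing under etc is
# world-writable, the writable areas exist, and the directory option is a
# path inside the chroot rather than a host path.
chroot_sanity() {
    root=${1:?usage: chroot_sanity ROOT}
    rc=0
    [ -f "$root/etc/named.conf" ] || { echo "missing etc/named.conf"; rc=1; }
    [ -z "$(find "$root/etc" -perm -002 2>/dev/null)" ] \
        || { echo "world-writable entries under $root/etc"; rc=1; }
    for d in var/named var/run; do
        [ -d "$root/$d" ] || { echo "missing $d"; rc=1; }
    done
    grep -q 'directory[[:space:]]*"/var/named"' "$root/etc/named.conf" 2>/dev/null \
        || { echo "directory option should be a path inside the chroot"; rc=1; }
    return $rc
}
# Usage:  build_named_chroot /var/named named && chroot_sanity /var/named
```

The config directory deliberately stays root-owned and read-only to the named user: a compromised named that can rewrite its own named.conf (or the zone files it is authoritative for) turns a sandbox escape into a persistence problem, so only the journal, dump and pid locations are handed over.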
7.3. Dynamic Update Security

Access to the dynamic update facility should be strictly limited. In earlier versions of BIND the only way to do this was based on the IP address of the host requesting the update, by listing an IP address or network prefix in the allow-update zone option. This method is insecure since the source address of the update UDP packet is easily forged. Also note that if the IP addresses allowed by the allow-update option include the address of a slave server which performs forwarding of dynamic updates, the master can be trivially attacked by sending the update to the slave, which will forward it to the master with its own source IP address, causing the master to approve it without question.

For these reasons, we strongly recommend that updates be cryptographically authenticated by means of transaction signatures (TSIG). That is, the allow-update option should list only TSIG key names, not IP addresses or network prefixes. Alternatively, the update-policy zone option can be used; it grants each key rights over particular names and record types rather than over the whole zone, which is the finer-grained control most sites actually want.

Some sites choose to keep all dynamically updated DNS data in a subdomain and delegate that subdomain to a separate zone. This way, the top-level zone containing critical data such as the IP addresses of public web and mail servers need not allow dynamic update at
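The advice above, tied together as an added shell example that is not code from the BIND manual: generate a TSIG key, place the address-based zone stanza the text warns about beside one that uses update-policy, install the key file with restrictive permissions, and produce an nsupdate batch that signs with it. The delegated zone name dyn.example.com, the key name dyn-update, the RFC 5737 documentation addresses and the use of hmac-sha256 (BIND 9.5 or later; when this chapter was written hmac-md5 was the only TSIG algorithm) are assumptions.

```shell
#!/bin/sh
# Added example (not from the BIND ARM): TSIG-gated dynamic updates for a
# delegated "dyn" zone. Assumptions: zone dyn.example.com, key name
# dyn-update, hmac-sha256 (BIND 9.5+), RFC 5737 documentation addresses.

# Print a named.conf key statement: tsig-keygen if installed, otherwise 32
# random bytes from openssl or /dev/urandom. All three give the same syntax.
make_tsig_key() {
    name=${1:?usage: make_tsig_key NAME}
    if command -v tsig-keygen >/dev/null 2>&1; then
        tsig-keygen -a hmac-sha256 "$name"
        return
    fi
    secret=$(openssl rand -base64 32 2>/dev/null) \
        || secret=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
    printf 'key "%s" {\n\talgorithm hmac-sha256;\n\tsecret "%s";\n};\n' "$name" "$secret"
}

# What the manual warns against: gating updates on source addresses, which
# are spoofable and laundered by any slave that forwards updates.
weak_zone_stanza() {
    cat <<'EOF'
zone "dyn.example.com" {
    type master;
    file "dyn.example.com.db";
    // address-based: do not do this
    allow-update { 203.0.113.0/24; };
};
EOF
}

# Hardened: only messages carrying a valid TSIG from dyn-update are accepted,
# and only for names at or below dyn.example.com and the listed types. The
# source address plays no part, so a forwarding slave gains an attacker
# nothing: the master checks the signature, not who delivered the packet.
hardened_zone_stanza() {
    key=${1:-dyn-update}
    cat <<EOF
zone "dyn.example.com" {
    type master;
    file "dyn.example.com.db";
    update-policy {
        grant $key subdomain dyn.example.com. A AAAA TXT;
    };
};
EOF
}

# Write the key statement to its own file (include it from named.conf) with
# mode 600, then chown it to the account named runs as; it must never be
# world-readable. The same file is what nsupdate -k takes on the client.
install_key_file() {
    path=${1:?usage: install_key_file PATH [NAME]}
    name=${2:-dyn-update}
    ( umask 077; make_tsig_key "$name" > "$path" ) || return 1
    chmod 600 "$path"
    printf '%s\n' "$path"
}

# nsupdate batch. With -k the secret never appears on a command line where
# other users could read it from the process list (unlike -y).
nsupdate_script() {
    cat <<'EOF'
server ns1.dyn.example.com
zone dyn.example.com
update delete host42.dyn.example.com. A
update add host42.dyn.example.com. 300 A 198.51.100.42
send
EOF
}
# Usage:  nsupdate_script | nsupdate -k /etc/named/dyn-update.key

# Review helper for existing configs: a stanza passes only if updates are
# gated by a key (update-policy, or allow-update listing key names) and no
# allow-update list contains an address.
stanza_is_hardened() {
    flat=$(printf '%s' "$1" | tr '\n' ' ')
    if printf '%s\n' "$flat" | grep -Eq 'allow-update[^}]*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'; then
        return 1
    fi
    printf '%s\n' "$flat" | grep -Eq 'update-policy|allow-update[^}]*key[[:space:]]'
}
```

Keeping the dynamic data in its own delegated zone, as the text suggests, means the key above can only ever touch dyn.example.com; the parent zone holding the web and mail server addresses has neither allow-update nor update-policy and therefore rejects every UPDATE outright.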